I have a Linux machine where I have configured an audit rule for monitoring any types of changes on a file. This is the rule I placed in /etc/audit/audit.rules file:

-w /home/ec2-user/splunk-test/secret-file -p rwxa -k log_everything

This file is under ec2-user ownership, and I have created one more user called as user1. I am trying to access secret-file with this user1, which is permission denied by default (expected). But nothing is being logged in the auditd log file. I have checked keeping 2 windows, simulataneously executing vi function as user1 and on the other window, watching log file changes.

I have tried "vi" as root user, the same is being logged in auditd logs. But when I try the same as user1 user, nothing is being logged in. (FYI, I have permissions of this file as 660) - NO READ PERMISSION TO WORLD.

Am I missing something here (maybe in auditd configuration), for the proper logging of any attempts made to this file? Can someone please help me at the earliest.